Feishu All-Scenario Todo Assistant (飞书全场景待办助手)

Security checks across malware telemetry and agentic risk

Overview

This Feishu todo skill is mostly aligned with todo and calendar management, but it can store and transmit task details using broad automatic triggers and hard-coded Feishu recipients.

Review carefully before installing. Use it only if you are comfortable with message-derived tasks being saved locally and potentially synced or sent through Feishu; remove the hard-coded Feishu user IDs and make calendar sync, reminders, and cron scheduling explicit opt-in before using it with sensitive tasks or private links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 82%
Finding: The skill description underspecifies important behaviors such as scheduled background reminders, proactive outbound messaging, and persistent local logging. Even if these behaviors are related to todo management, failing to disclose autonomous execution and external message sending can surprise users and operators and create privacy or abuse risks.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The code hard-codes a specific Feishu user ID and automatically adds that account as an attendee to every created event, regardless of the actual user or request context. This can leak task titles, descriptions, and schedule details to an unrelated account and may create unauthorized invitations or calendar disclosure.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The helper silently sends todo contents to a hard-coded Feishu recipient via a local CLI rather than an explicit, user-scoped API integration. Because todo content may contain sensitive personal or business data, this creates a real confidentiality risk and can direct all reminders to an unintended account without per-user authorization.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: This script creates a persistent per-user cron job that executes every minute and writes to /tmp, extending the skill's behavior beyond on-demand todo/calendar handling into continuous host-level scheduled execution. In an agent skill context, this persistence is risky because it can survive normal runs, consume resources, and provide a foothold for unintended repeated execution if the script or its path is later modified.

Vague Triggers
Severity: High
Confidence: 90%
Finding: The trigger policy is extremely broad and includes ordinary conversational patterns like mentioning tasks, schedules, or asking what to do next. In a messaging environment, this can cause the skill to activate on unrelated private conversations, automatically persist content, and potentially sync sensitive text into todo storage or calendars without sufficiently explicit intent.

Vague Triggers
Severity: High
Confidence: 93%
Finding: The phrases used to define activation, such as 'contains todo description,' are too subjective and not operationally bounded. Ambiguous triggers increase the chance of accidental data capture, unintended file writes, and external actions based on normal discussion rather than a deliberate user request.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill stores message-derived todo data in a local workspace file but does not warn users that their content will be persisted. This creates privacy and retention risks, especially if messages may contain sensitive personal, business, or third-party information that users did not expect to be written to disk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: Automatically writing tasks to Feishu Calendar and creating reminders affects external systems and may expose sensitive task details, timing, and links beyond the immediate conversation context. Without explicit warning and consent, users may unknowingly cause scheduling changes or disclosure into a broader calendar surface.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The eval examples encourage broad natural-language capture of todos such as general task statements with times and links, but they do not define clear boundaries or user-confirmation rules. In a multi-channel assistant, this can cause over-collection or unintended persistence of ordinary conversation, creating privacy and integrity risks by saving messages as tasks when the user did not explicitly intend that action.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The sync function sends todo content and due-time information to Feishu as calendar event metadata, but this file shows no visible consent gate, warning, or data-minimization step before transmission. In this skill context, users may submit tasks over multiple channels, increasing the chance that sensitive personal or work information is silently synchronized to an external service.

Natural-Language Policy Violations
Severity: Medium
Confidence: 82%
Finding: Hard-coding the timezone to Asia/Shanghai can cause events to be created at the wrong time for users in other regions, which may lead to missed meetings, unintended reminders, or inaccurate scheduling decisions. In a calendar-sync skill that accepts tasks from multiple channels, this increases the risk of silent, user-impacting scheduling errors.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script exports reminder text, including raw todo content and due times, to an external messaging channel without any consent, notice, or content minimization. In this skill context, todo items can easily contain sensitive schedules, names, links, or internal work details, so automatic transmission increases privacy and data-leakage risk.

VirusTotal

66/66 vendors flagged this skill as clean.